A new piece of malware that can spy on a user’s computer has been discovered, Wired reports, and researchers found that the program uses a clever channel to communicate with its creators: Google’s popular Gmail email service.
Security startup Shape Security says it found a new strain of malware that’s able to read instructions from Gmail drafts and respond to the hacker’s commands without the user actually noticing anything happening on the computer.
“What we’re seeing here is command and control that’s using a fully allowed service, and that makes it superstealthy and very hard to identify,” Shape Security researcher Wade Williamson said. “It’s stealthily passing messages back and forth without even having to press send. You never see the bullet fired.”
For everything to work, hackers first set up an anonymous Gmail account, and then infect a target computer with the malware. After gaining control of the computer, the hacker will remotely open an invisible instance of Internet Explorer in which the Gmail account is loaded.
Once that’s done, information can be passed back and forth using the drafts folder. The malware uses a Python script to retrieve commands and code entered into the draft field, and then it can respond in Gmail drafts and can include the data it wants to steal.
The malware is apparently a variant of an existing trojan called Icoscript, first found by security firm G-Data in August. Icoscript has been infecting computers since 2012, using Yahoo Mail to hide its command and control, before switching to Gmail drafts recently.
It’s not clear how many machines have been infected by this malware strain, and there’s no way of easily detecting it, Shape says.
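A triage heuristic for the behaviour described above, a windowless Internet Explorer process that was not started by the user and that talks to webmail, written as an added example and not taken from Shape, G-Data or Wired. The event fields, host names and the list of "interactive" parent processes are assumptions, and the telemetry is constructed.

```python
# Constructed endpoint telemetry; the field names are an assumed schema,
# not the output of any particular EDR or proxy product.
EVENTS = [
    # Normal use: visible browser started from the desktop shell.
    {"type": "proc", "host": "ws-01", "pid": 4100, "image": "iexplore.exe",
     "parent": "explorer.exe", "window_visible": True},
    {"type": "net", "host": "ws-01", "pid": 4100, "dest": "mail.google.com"},
    # Candidate: windowless browser started by a non-shell parent, reaching webmail.
    {"type": "proc", "host": "ws-02", "pid": 5220, "image": "iexplore.exe",
     "parent": "svchost.exe", "window_visible": False},
    {"type": "net", "host": "ws-02", "pid": 5220, "dest": "mail.google.com"},
    # Windowless browser, but no webmail traffic: not reported.
    {"type": "proc", "host": "ws-03", "pid": 6012, "image": "iexplore.exe",
     "parent": "svchost.exe", "window_visible": False},
    {"type": "net", "host": "ws-03", "pid": 6012, "dest": "intranet.example"},
    # Same pid as ws-01 on another host, no matching process record: not reported.
    {"type": "net", "host": "ws-04", "pid": 4100, "dest": "mail.yahoo.com"},
]

# Gmail and Yahoo Mail are the two services the article names.
WEBMAIL_HOSTS = {"mail.google.com", "mail.yahoo.com"}
# Assumption: parents that indicate a user-initiated browser launch.
INTERACTIVE_PARENTS = {"explorer.exe", "iexplore.exe"}


def hidden_browser_webmail(events, webmail=WEBMAIL_HOSTS):
    """Return sorted (host, pid, dest) tuples for windowless, non-user-launched
    Internet Explorer processes that contacted a webmail host."""
    events = list(events)
    # Pass 1: collect suspicious browser processes, keyed by host and pid
    # so that identical pids on different machines are not confused.
    suspects = {
        (e["host"], e["pid"])
        for e in events
        if e["type"] == "proc"
        and e["image"].lower() == "iexplore.exe"
        and not e["window_visible"]
        and e["parent"].lower() not in INTERACTIVE_PARENTS
    }
    # Pass 2: keep only those suspects that actually reached webmail.
    # Two passes make the result independent of event ordering.
    return sorted(
        (e["host"], e["pid"], e["dest"])
        for e in events
        if e["type"] == "net"
        and (e["host"], e["pid"]) in suspects
        and e["dest"].lower() in webmail
    )
```

The output is a list of leads to review, since legitimate automation can also drive a hidden browser; a production version would also bound the correlation by time to account for pid reuse.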
Google has not said anything about this particular attack, telling Wired that “our systems actively track malicious and programmatic usage of Gmail and we quickly remove abusive accounts we identify.”